GPG, or The GNU Privacy Guard, is a standard and tool for encrypting and signing pretty much any data or communication. It works with a pair of keys, one private and one public; to sign something you must enter the passphrase that protects the private key, and that passphrase is never to be shared.
This guide is mainly intended for programmers wanting to have their keys ready and set to sign their emails and/or commits.
If the keys are already in order (both GPG files, the public and the private block), skip to Route #2: Use an existing GPG key.
Route #1: Generate the GPG key
gpg --full-gen-key
Select RSA as the algorithm
Request the maximum keysize (ref: 4096)
Specify the expiration date
Specify Name, Email and Comment (if any)
Take the following as reference:
Real name: Your Name
Email address: <your_email>
Comment:
You selected this USER-ID:
"Your Name <your_email>"
Enter a passphrase when asked and that's it.
Note: The GPG keys can now be used and exported; it's recommended to set a trust level (see Route #2, step 3). Remember that the private key is only for you to have (unless you really trust the service you would upload it to).
Backup the GPG keys
This is important in case the operating system is changed or lost.
Export the public key
gpg --armor --export keyIDNumber > pub.gpg
Export the private key
gpg --export-secret-keys keyIDNumber > pri.gpg
Route #2: Use an existing GPG key
If there is no GPG key, go back to Route #1: Generate the GPG key.
1. Import the public key
gpg --import pub.gpg
2. Import the private key
gpg --allow-secret-key-import --import pri.gpg
Provide the passphrase for the private key to be imported. (On GnuPG 2.x the --allow-secret-key-import option is obsolete and ignored; a plain gpg --import pri.gpg does the same.)
Check the public key
gpg --list-keys
Check the private key
gpg --list-secret-keys --keyid-format LONG
3. Set a trust level
It's recommended to set a trust level for the key; if you do, set 5 so it is treated as an owned key.
gpg --edit-key keyIDNumber
gpg> trust
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately (set this one)
m = back to the main menu
Route #3: Set up the GPG key to commit
If you want that sweet sweet Verified mark for every commit on your preferred Git platform, you need to do the following:
Have both the GPG key and the (confirmed) Git platform account on the same email address
Add your GPG [public] key to your account
Set Git [Local or Global] to sign commits
The next configuration must be applied inside every project folder where commits are required to be signed with the selected key. For a system-wide configuration use the --global parameter instead of --local.
Set Username
git config --local user.name "USERNAME"
Set Email
git config --local user.email "[email protected]"
Set GPG key
git config --local user.signingkey keyIDNumber
Require signing on every commit
git config --local commit.gpgsign true
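A quick consistency check for the setup above, added here as an example (it is not part of the original guide): it parses the machine-readable output of gpg --list-secret-keys --with-colons and confirms that the configured user.signingkey is an existing secret key, that one of its user IDs carries the same email as user.email, and that the key is ultimately trusted and not expired. The listing below is a constructed sample, not a real key.

```python
"""Check that a Git signing configuration matches a GPG secret key."""
import time

# Constructed sample of `gpg --list-secret-keys --with-colons` output.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1700000000:1900000000::u:::scESC::::::23::0:
fpr:::::::::FEDCBA98765432100123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::Your Name <you@example.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1700000000:1900000000:::::e::::::23:
"""


def parse_secret_keys(listing):
    """Group each 'sec' record with its 'uid' lines. Colon fields (0-based):
    1 = validity ('u' = ultimate), 4 = long key ID, 6 = expiry epoch, 9 = user ID."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            keys.append({"keyid": f[4], "validity": f[1],
                         "expires": int(f[6]) if f[6] else None, "uids": []})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys


def check_signing_setup(listing, signing_key, email, now=None):
    """Return a list of problems; an empty list means the setup is consistent."""
    now = int(time.time()) if now is None else now
    wanted = signing_key.upper().removeprefix("0X")  # accept short or long key ID
    matches = [k for k in parse_secret_keys(listing) if k["keyid"].endswith(wanted)]
    if not matches:
        return [f"no secret key matching user.signingkey {signing_key}"]
    key = matches[0]
    problems = []
    if key["validity"] != "u":
        problems.append("key is not trusted ultimately (gpg --edit-key, trust, option 5)")
    if key["expires"] is not None and key["expires"] <= now:
        problems.append("key has expired")
    if not any(f"<{email.lower()}>" in uid.lower() for uid in key["uids"]):
        problems.append(f"no user ID on the key carries user.email {email}")
    return problems


if __name__ == "__main__":
    # Values a user would read back from `git config --local user.signingkey` / user.email
    for problem in check_signing_setup(SAMPLE_LISTING, "89ABCDEF", "you@example.com"):
        print("problem:", problem)
```

Replace SAMPLE_LISTING with the real output of gpg --list-secret-keys --with-colons and the two arguments with your git config values; no output means the key, email and trust level all line up.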
Finally, detailed feedback and/or suggestions about this procedure are appreciated.